Are you adding the custom objects to your SAP GRC Ruleset?

Former Member

The GRC tool is tracking only a portion of your segregation of duties (SoD) and transaction risks if you have not added your custom transactions to the SAP rule set. The rule set tracks risks created by conflicts between two transactions and risks created by the transaction itself.

SAP GRC functionality comes with a default rule set that contains segregation of duties (SoD) transactions and critical action transactions. However, this SAP GRC rule set includes only transactions created by SAP, not the custom transactions created by the company that is using the SAP system.

Most companies ignore the custom programs and tables in the system, thinking they are usually reports. This is far from the truth.

The presence of such codes (such as Z codes, Z objects and Z tables) may create significant additional SoD exposure in the SAP HR and payroll system over what is presented in this report. For example, a sampling of Z codes revealed that many of the custom transaction descriptions are false. Most descriptions indicated "display" only capability when in fact many custom transactions actually had the capability to "change" and/or "create" within the SAP system.

Process for mapping the custom transactions to the SAP GRC rule set:

  1. Classify the custom transactions into display transactions, change/update transactions, and configuration transactions.
  2. At a minimum, make sure that the custom transactions which are change/update and configuration related can only be executed by their own transaction.
  3. Now identify the functionality of the transaction and try to associate it with the existing SAP transaction.
  4. Sometimes it will be easy, as it may be a direct copy of the SAP transaction with some functionality changes, but most of the time you may have to talk to the developer, understand the functionality and relate it to the SAP functionality.

Once you have identified the functionality, you can create a new function if you do not have the function in the rule set, or add the custom transaction to the existing rule set.
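As an added example (not from this thread, and not SAP's own GRC tooling), a small Python script that applies steps 1, 3 and 4 above to constructed data: it classifies Z transactions from the ACTVT values in their authorization defaults rather than from their descriptions, flags descriptions that claim "display" when the transaction can actually change data, and looks up the rule-set function via the standard tcode the custom one was copied from. The tcodes, descriptions, authorization values and function IDs are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

CHANGE_ACTVT = {"01", "02", "06"}             # SAP ACTVT: create, change, delete (03 = display)
CONFIG_OBJECTS = {"S_TABU_DIS", "S_TABU_NAM"}  # table maintenance: change here = configuration
DISPLAY_WORDS = ("display", "view", "report", "list")  # description words that claim read-only
# Hypothetical rule-set function IDs keyed by the standard tcode a Z tcode was copied from.
FUNCTION_OF_STANDARD_TCODE = {"ME21N": "FUNC_PO_CREATE", "ME23N": "FUNC_PO_DISPLAY"}

@dataclass
class CustomTcode:
    tcode: str
    description: str
    copied_from: Optional[str]       # standard tcode it derives from, None if unknown
    auths: Dict[str, Set[str]] = field(default_factory=dict)  # auth object -> ACTVT values

def classify(t: CustomTcode) -> str:
    """Step 1: classify from the authorizations the tcode checks, not from its description."""
    if any(o in CONFIG_OBJECTS and a & CHANGE_ACTVT for o, a in t.auths.items()):
        return "configuration"
    if any(a & CHANGE_ACTVT for a in t.auths.values()):
        return "change"
    return "display"

def description_is_misleading(t: CustomTcode, cls: str) -> bool:
    """Flag the case from the thread: description says display, tcode can actually change."""
    claims_display = any(w in t.description.lower() for w in DISPLAY_WORDS)
    return claims_display and cls != "display"

def review(tcodes: List[CustomTcode]) -> List[dict]:
    """Steps 3-4: map each tcode to an existing function; None means a new function is needed."""
    rows = []
    for t in tcodes:
        cls = classify(t)
        rows.append({"tcode": t.tcode, "class": cls,
                     "misleading": description_is_misleading(t, cls),
                     "function": FUNCTION_OF_STANDARD_TCODE.get(t.copied_from or "")})
    return rows

# Constructed sample: three Z transactions with SU24-style authorization defaults.
SAMPLE = [
    CustomTcode("ZME23_RPT", "Display purchase orders", "ME23N", {"M_BEST_EKO": {"03"}}),
    CustomTcode("ZME21_CUST", "Display PO (custom)", "ME21N", {"M_BEST_EKO": {"01", "02", "03"}}),
    CustomTcode("ZTAB_VIEW", "Custom table view", None, {"S_TABU_DIS": {"02", "03"}}),
]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(row)
```

In a real review the authorization values would come from the system's SU24 defaults or from a trace of the transaction, and a `None` function is the cue to create a new one in the rule set.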

Accepted Solutions (0)

Answers (1)

former_member193066
Active Contributor

True, this has been the practice since Virsa as well.

Z tcodes are called coupled tcodes, which will not be part of any ruleset. You have to identify functionalities and map to existing or create a new risk.

Every company builds transactions based on their requirements; they may not need standard tcodes.

Some companies go with a customized rule set; they don't need the SAP standard ruleset. During those times, work with the developer, business leads and internal auditor to build the ruleset.

Regards,

Prasant K Paichha

Former Member

Hi Prasant,

I understand adding Z tcodes and custom objects to the SAP GRC Ruleset. Is there any existing practice for adding SAP Business Workflow work items to the SAP GRC Ruleset? For example, you would identify functionalities of a Workflow work item and map to existing or create a new risk.

Are there any existing practices, white papers, conversations, blogs for GRC SoD control, monitoring, and mitigation of Workflow work items? For example, a Workflow work item for Approving Funds could be analyzed and possibly mapped to an existing or create a new risk.

Thank you very much,

Sheldon Oxenberg

Former Member

Hi Sheldon,

With standard functionality, we are not able to extract data from work items and map them to the SAP GRC rule set, but with customization we can achieve the same.

Thanks

Amit Nanaware